<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 10/20/2017 10:00 PM, Chris Marget
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAAG5dDB1D-V8-oJi6gxk6ouKGD6bM245=N3GVLSa4Whi8y5UmA@mail.gmail.com">
<div dir="ltr">I'm struggling with a PKCS7 signing operation using
openssl 1.0.2g.
<div><br>
</div>
<div>I want to create signed messages like the one in my
'original' file (below). It seemed like extracting and then
re-signing this message would be a good start.</div>
<div><br>
</div>
<div>I'm able to verify/unpack the original message, but not
able to sign the unpacked message to get back to where I
started. I have access to the signer's certificate and private
key.
<div><br>
</div>
<div>I hope somebody can point me in the right direction?</div>
<div><br>
</div>
<div>I'm extracting the message with:</div>
<div><br>
</div>
<div>
<p
style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span
style="font-variant-ligatures:no-common-ligatures">openssl
cms -verify -CAfile CA_cert.pem -inform pem -in original
-out extracted</span></p>
</div>
<div><br>
</div>
<div>I thought I'd be able to re-sign this message using
something like:</div>
<div><br>
</div>
<div>
<p
style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span
style="font-variant-ligatures:no-common-ligatures">openssl
cms -sign -md sha1 -in extracted -inkey signer_key
-signer signer_cert -outform pem</span></p>
</div>
<div><span style="font-variant-ligatures:no-common-ligatures"><br>
</span></div>
<div>This 'sign' operation completes successfully, but
produces an output that's missing the payload. Using the
same procedure to sign 1MB of random data produces a result
that's only 1396 bytes long:</div>
<div><br>
</div>
</div>
</div>
</blockquote>
<br>
I think you want to add the option "-nodetach"<br>
<br>
<blockquote type="cite"
cite="mid:CAAG5dDB1D-V8-oJi6gxk6ouKGD6bM245=N3GVLSa4Whi8y5UmA@mail.gmail.com">
<div dir="ltr">
<div>
<div>
<p
style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span
style="font-variant-ligatures:no-common-ligatures">dd
if=/dev/urandom bs=1M count=1 | openssl cms -sign -md
sha1 -inkey signer_key -signer signer_cert -outform pem
| grep -v -- -- | base64 --decode | wc -c</span></p>
<p
style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span
style="font-variant-ligatures:no-common-ligatures">1396</span></p>
</div>
<div><span style="font-variant-ligatures:no-common-ligatures"><br>
</span></div>
<div>Clearly this 'sign' function doesn't do what I thought it
did.</div>
<div><br>
</div>
<div>How can I sign a blob of data so that it looks like my
'original'?</div>
<div><br>
</div>
<div>The files I'm using:</div>
<div>original <a href="https://pastebin.com/raw/CNPLyqcm"
moz-do-not-send="true">https://pastebin.com/raw/CNPLyqcm</a></div>
<div>CA_cert.pem <a href="https://pastebin.com/raw/HiE6gMTN"
moz-do-not-send="true">https://pastebin.com/raw/HiE6gMTN</a></div>
<div>signer_key <a href="https://pastebin.com/raw/tnCXeYHg"
moz-do-not-send="true">https://pastebin.com/raw/tnCXeYHg</a>
(the correct key, but not an actual secret)</div>
<div>signer_cert <a href="https://pastebin.com/raw/ACtTVHdp"
moz-do-not-send="true">https://pastebin.com/raw/ACtTVHdp</a></div>
<div><br>
</div>
</div>
<div>Thank you!</div>
</div>
<br>
<br>
</blockquote>
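<p>Added example (not part of the thread) illustrating the reply: the same <code>openssl cms -sign</code> run with and without <code>-nodetach</code>, then verified with nothing but the signed message. It assumes <code>openssl</code> is on PATH and constructs its own key, certificate and payload instead of using the files linked above.</p>

```shell
#!/bin/sh
# Added example, not from the thread: compare the default (detached) output of
# `openssl cms -sign` with -nodetach. Assumes `openssl` is on PATH. The key,
# certificate and payload are constructed here (sha256 rather than the poster's
# sha1; the poster's pastebin files are not used).
set -eu

WORK=$(mktemp -d)

# Constructed self-signed signer certificate; it is also the trust anchor
# handed to -verify via -CAfile.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=cms-example-signer" \
        -keyout "$WORK/signer_key" -out "$WORK/signer_cert" 2>/dev/null
}

# Constructed payload, deterministic so the recovered content can be compared.
make_payload() {
    printf 'cms example payload, line %d\n' 1 2 3 > "$WORK/payload"
}

# Sign the payload. $1 is "detached" (openssl's default: payload omitted)
# or "embedded" (adds -nodetach: payload carried inside the SignedData).
sign_payload() {
    case "$1" in
        embedded) opt=-nodetach ;;
        detached) opt= ;;
    esac
    openssl cms -sign -md sha256 -binary $opt -in "$WORK/payload" \
        -inkey "$WORK/signer_key" -signer "$WORK/signer_cert" \
        -outform pem -out "$WORK/signed.$1"
}

# Succeeds only if -verify, given just the signed message, validates the
# signature and reproduces the payload byte for byte. A detached message
# fails here because the message carries no content to check or output.
verify_embedded() {
    openssl cms -verify -binary -CAfile "$WORK/signer_cert" -inform pem \
        -in "$WORK/signed.$1" -out "$WORK/recovered.$1" 2>/dev/null \
        && cmp -s "$WORK/payload" "$WORK/recovered.$1"
}

make_signer
make_payload
sign_payload detached
sign_payload embedded
wc -c "$WORK/signed.detached" "$WORK/signed.embedded"
for mode in detached embedded; do
    if verify_embedded "$mode"; then echo "$mode: payload recovered"
    else echo "$mode: no payload in message"; fi
done
```

The detached message is the one the poster saw: the signature verifies only when the original content is supplied separately with <code>-content</code>, which is why the 1MB input yielded a 1396-byte result.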
<p><br>
</p>
</body>
</html>